Enterprises may maintain large computer systems to facilitate and support their endeavors. Individuals of such enterprises may utilize these computer systems to perform various activities or job functions. A principle of information security management holds that individuals should only be authorized to access computing resources necessary to carry out their assigned job functions. Accordingly, another principle of information security may recommend periodic access reviews to verify that individuals are only capable of accessing computing resources those individuals are authorized to access.
If an access review reveals that an individual is capable of accessing a computing resource that the individual is not authorized to access, such access may be revoked for that individual. In this way, the security of the computing system and its resources is maintained. One or more individuals of the enterprise, e.g., a manager, may be responsible for conducting the access reviews. Large enterprises, however, may include thousands of individuals, and each individual may be associated with dozens—if not hundreds—of entitlements. For managers that manage multiple individuals, conducting access reviews for those individuals can be a challenge. For example, a manager that manages a dozen individuals each having an average of a hundred entitlements may be tasked with reviewing over a thousand entitlements during access reviews for those individuals. Not only is such an endeavor time-consuming, but access reviews for so many entitlements may also limit the ability of a manager to perform other managerial duties.
Therefore, a need exists for an improved approach to conducting access reviews that reduces the number of entitlements requiring review by a manager without negatively impacting the access risk to an enterprise.